New Predator Spyware Network Uncovered in Mozambique for First Time

Insikt Group has analyzed renewed infrastructure linked to Predator spyware and found that the spyware is still gaining users, despite U.S. sanctions imposed in July 2023.

After a noticeable drop in activity following public exposure and sanctions, Predator spyware has resurfaced. The investigation revealed continued use of the surveillance tools, especially in Africa, with a new customer identified in Mozambique. More than half of the spyware’s known users are located on the African continent. The analysis also uncovered connections to a Czech company, suggesting that the Intellexa Consortium remains active. 

In March 2024, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned two individuals and five entities linked to the Intellexa Consortium. These groups were accused of developing and distributing Predator spyware, which had been used to target American citizens, including government officials, journalists, and policy analysts. The Treasury Department warned that commercial spyware represents a growing threat, often misused by foreign actors to surveil dissidents and media figures worldwide. 

Formed in 2019, the Intellexa Consortium acts as a marketing umbrella for several offensive cybersecurity firms. These companies develop spyware tools for targeted and mass surveillance. The name "Predator" refers to a suite of surveillance technologies capable of compromising devices through zero-click attacks. 

Predator spyware is known for its ability to extract data and monitor user activity with high precision. 

Insikt Group’s latest findings point to an updated and evasive Predator infrastructure, which includes multiple sophisticated layers and deceptive tactics. The researchers uncovered domains likely used for delivering spyware payloads, some of which suggest regional targets such as the Badinan area in Iraqi Kurdistan. Unlike earlier versions that mimicked legitimate news sites, the new domains use random English or Portuguese words and are hosted across a broader set of networks to reduce traceability. 

The infrastructure now features a five-tier system. The first four tiers route traffic through various layers to obscure the source, with Tier 4 often linked to in-country IP addresses associated with customers. Tier 5 remains partly unclear but has been connected to FoxITech, a company based in the Czech Republic with ties to Intellexa. Operators are also deploying fake websites, login pages, and simulated event pages to disguise their activities further. 

According to the report, Tiers 1 through 4 directly support the spyware's operations. Tier 5, while less understood, appears central to the broader Predator framework. FoxITech’s involvement has drawn particular attention due to its previous public association with Intellexa. 

Since March 2024, Predator activity has been observed in over twelve countries. While operations ceased in some areas like the Democratic Republic of the Congo and Angola following exposure, activity in Angola resumed in early 2025. Mozambique emerged as a new active user, linked to several domains and IPs operated through fake news and lifestyle sites. Another short-lived cluster tied to Eastern Europe could be the result of recent testing or a response to new restrictions. 

Insikt Group concluded that Predator continues to be deployed globally, including in Mozambique, despite international scrutiny and sanctions. However, a reduction in the number of operators suggests that public pressure and regulatory measures have disrupted some of Intellexa’s activities. Still, the spyware’s developers have adopted new strategies to avoid detection, reflecting their determination to remain active in the global surveillance market. 
